add heracles

akerl · akerl · commit fc3a7ee00a59 · 2024-11-28T13:07:57.000-05:00
diff --git a/configvault.tf b/configvault.tf
@@ -22,5 +22,6 @@ module "puppet-vault" {
     "proxy",
     "mqtt",
     "ledgerdb",
+    "heracles",
   ]
 }
diff --git a/servers.tf b/servers.tf
@@ -90,6 +90,14 @@ module "metrics_validation" {
   zone_id     = module.zones["a-rwx.org"].zone_id
 }
 
+module "heracles_validation" {
+  source      = "armorfret/r53-certbot/aws"
+  version     = "0.6.4"
+  admin_email = var.admin_email
+  cert_name   = "heracles.servers.home.a-rwx.org"
+  zone_id     = module.zones["a-rwx.org"].zone_id
+}
+
 module "grafana_validation" {
   source      = "armorfret/r53-certbot/aws"
   version     = "0.6.4"
diff --git a/terraform.tfstate b/terraform.tfstate
@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.5.7",
-  "serial": 12866,
+  "serial": 12875,
   "lineage": "6a6e3f47-d4c8-46eb-a34e-885062b7c62a",
   "outputs": {
     "domains": {
@@ -648,6 +648,7 @@
                   "10.0.1.117": "cultivator.servers",
                   "10.0.1.118": "unpoller.servers",
                   "10.0.1.119": "mqtt.servers",
+                  "10.0.1.120": "heracles.servers",
                   "10.0.1.150": "nas.servers",
                   "10.0.1.80": "hass.servers",
                   "10.0.1.91": "kiosk-office.servers",
@@ -800,6 +801,7 @@
                       "10.0.1.117": "string",
                       "10.0.1.118": "string",
                       "10.0.1.119": "string",
+                      "10.0.1.120": "string",
                       "10.0.1.150": "string",
                       "10.0.1.80": "string",
                       "10.0.1.91": "string",
@@ -5174,6 +5176,38 @@
             "module.zones.aws_route53_zone.this"
           ]
         },
+        {
+          "index_key": "10.0.1.120",
+          "schema_version": 2,
+          "attributes": {
+            "alias": [],
+            "allow_overwrite": null,
+            "cidr_routing_policy": [],
+            "failover_routing_policy": [],
+            "fqdn": "heracles.servers.home.a-rwx.org",
+            "geolocation_routing_policy": [],
+            "geoproximity_routing_policy": [],
+            "health_check_id": "",
+            "id": "Z06324102J3IVSSCKNZ4A_heracles.servers.home.a-rwx.org_A",
+            "latency_routing_policy": [],
+            "multivalue_answer_routing_policy": false,
+            "name": "heracles.servers.home.a-rwx.org",
+            "records": [
+              "10.0.1.120"
+            ],
+            "set_identifier": "",
+            "ttl": 60,
+            "type": "A",
+            "weighted_routing_policy": [],
+            "zone_id": "Z06324102J3IVSSCKNZ4A"
+          },
+          "sensitive_attributes": [],
+          "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjIifQ==",
+          "dependencies": [
+            "data.terraform_remote_state.unifi",
+            "module.zones.aws_route53_zone.this"
+          ]
+        },
         {
           "index_key": "10.0.1.150",
           "schema_version": 2,
@@ -25330,8 +25364,10 @@
           "sensitive_attributes": [],
           "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6NjAwMDAwMDAwMDAwLCJ1cGRhdGUiOjYwMDAwMDAwMDAwMH19",
           "dependencies": [
-            "module.akerl-hook-site.module.apigw.module.lambda.aws_iam_role.lambda"
-          ]
+            "module.akerl-hook-site.module.apigw.module.lambda.aws_iam_role.lambda",
+            "module.akerl-hook-site.module.apigw.module.lambda.data.aws_iam_policy_document.trust"
+          ],
+          "create_before_destroy": true
         }
       ]
     },
@@ -38178,6 +38214,201 @@
         }
       ]
     },
+    {
+      "module": "module.heracles_validation",
+      "mode": "data",
+      "type": "aws_iam_policy_document",
+      "name": "certbot_validation",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "2505638808",
+            "json": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"route53:ListHostedZonesByName\",\n        \"route53:ListHostedZones\",\n        \"route53:GetChange\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"route53:ListResourceRecordSets\",\n        \"route53:GetHostedZone\"\n      ],\n      \"Resource\": \"arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"route53:ChangeResourceRecordSets\",\n      \"Resource\": \"arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A\",\n      \"Condition\": {\n        \"ForAllValues:StringEquals\": {\n          \"route53:ChangeResourceRecordSetsNormalizedRecordNames\": \"_acme-challenge.heracles.servers.home.a-rwx.org\"\n        }\n      }\n    }\n  ]\n}",
+            "minified_json": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"route53:ListHostedZonesByName\",\"route53:ListHostedZones\",\"route53:GetChange\"],\"Resource\":\"*\"},{\"Effect\":\"Allow\",\"Action\":[\"route53:ListResourceRecordSets\",\"route53:GetHostedZone\"],\"Resource\":\"arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A\"},{\"Effect\":\"Allow\",\"Action\":\"route53:ChangeResourceRecordSets\",\"Resource\":\"arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A\",\"Condition\":{\"ForAllValues:StringEquals\":{\"route53:ChangeResourceRecordSetsNormalizedRecordNames\":\"_acme-challenge.heracles.servers.home.a-rwx.org\"}}}]}",
+            "override_json": null,
+            "override_policy_documents": null,
+            "policy_id": null,
+            "source_json": null,
+            "source_policy_documents": null,
+            "statement": [
+              {
+                "actions": [
+                  "route53:GetChange",
+                  "route53:ListHostedZones",
+                  "route53:ListHostedZonesByName"
+                ],
+                "condition": [],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [],
+                "resources": [
+                  "*"
+                ],
+                "sid": ""
+              },
+              {
+                "actions": [
+                  "route53:GetHostedZone",
+                  "route53:ListResourceRecordSets"
+                ],
+                "condition": [],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [],
+                "resources": [
+                  "arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A"
+                ],
+                "sid": ""
+              },
+              {
+                "actions": [
+                  "route53:ChangeResourceRecordSets"
+                ],
+                "condition": [
+                  {
+                    "test": "ForAllValues:StringEquals",
+                    "values": [
+                      "_acme-challenge.heracles.servers.home.a-rwx.org"
+                    ],
+                    "variable": "route53:ChangeResourceRecordSetsNormalizedRecordNames"
+                  }
+                ],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [],
+                "resources": [
+                  "arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A"
+                ],
+                "sid": ""
+              }
+            ],
+            "version": "2012-10-17"
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    },
+    {
+      "module": "module.heracles_validation",
+      "mode": "managed",
+      "type": "aws_iam_user",
+      "name": "this",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::764218738161:user/certbot_heracles.servers.home.a-rwx.org",
+            "force_destroy": false,
+            "id": "certbot_heracles.servers.home.a-rwx.org",
+            "name": "certbot_heracles.servers.home.a-rwx.org",
+            "path": "/",
+            "permissions_boundary": "",
+            "tags": null,
+            "tags_all": {},
+            "unique_id": "AIDA3D3X4QXY5553ZEJRS"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA=="
+        }
+      ]
+    },
+    {
+      "module": "module.heracles_validation",
+      "mode": "managed",
+      "type": "aws_iam_user_policy",
+      "name": "this",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "certbot_heracles.servers.home.a-rwx.org:certbot_heracles.servers.home.a-rwx.org",
+            "name": "certbot_heracles.servers.home.a-rwx.org",
+            "name_prefix": "",
+            "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"route53:ListHostedZonesByName\",\"route53:ListHostedZones\",\"route53:GetChange\"],\"Effect\":\"Allow\",\"Resource\":\"*\"},{\"Action\":[\"route53:ListResourceRecordSets\",\"route53:GetHostedZone\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A\"},{\"Action\":\"route53:ChangeResourceRecordSets\",\"Condition\":{\"ForAllValues:StringEquals\":{\"route53:ChangeResourceRecordSetsNormalizedRecordNames\":\"_acme-challenge.heracles.servers.home.a-rwx.org\"}},\"Effect\":\"Allow\",\"Resource\":\"arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A\"}]}",
+            "user": "certbot_heracles.servers.home.a-rwx.org"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.heracles_validation.aws_iam_user.this",
+            "module.heracles_validation.data.aws_iam_policy_document.certbot_validation"
+          ]
+        }
+      ]
+    },
+    {
+      "module": "module.heracles_validation",
+      "mode": "managed",
+      "type": "aws_route53_record",
+      "name": "caa",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 2,
+          "attributes": {
+            "alias": [],
+            "allow_overwrite": null,
+            "cidr_routing_policy": [],
+            "failover_routing_policy": [],
+            "fqdn": "heracles.servers.home.a-rwx.org",
+            "geolocation_routing_policy": [],
+            "geoproximity_routing_policy": [],
+            "health_check_id": "",
+            "id": "Z06324102J3IVSSCKNZ4A_heracles.servers.home.a-rwx.org_CAA",
+            "latency_routing_policy": [],
+            "multivalue_answer_routing_policy": false,
+            "name": "heracles.servers.home.a-rwx.org",
+            "records": [
+              "0 iodef \"mailto:admin@lesaker.org\"",
+              "0 issue \"letsencrypt.org; validationmethods=dns-01\"",
+              "0 issuewild \";\""
+            ],
+            "set_identifier": "",
+            "ttl": 60,
+            "type": "CAA",
+            "weighted_routing_policy": [],
+            "zone_id": "Z06324102J3IVSSCKNZ4A"
+          },
+          "sensitive_attributes": [],
+          "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjIifQ==",
+          "dependencies": [
+            "module.zones.aws_route53_zone.this"
+          ]
+        }
+      ]
+    },
+    {
+      "module": "module.heracles_validation",
+      "mode": "managed",
+      "type": "awscreds_iam_access_key",
+      "name": "this",
+      "provider": "provider[\"registry.terraform.io/armorfret/awscreds\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "file": "creds/certbot_heracles.servers.home.a-rwx.org",
+            "id": "AKIA3D3X4QXYQ7OHAEVH",
+            "user": "certbot_heracles.servers.home.a-rwx.org"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.heracles_validation.aws_iam_user.this"
+          ]
+        }
+      ]
+    },
     {
       "module": "module.influxdb_validation",
       "mode": "data",
@@ -39756,6 +39987,23 @@
           "sensitive_attributes": [],
           "private": "bnVsbA=="
         },
+        {
+          "index_key": "puppet-heracles",
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::764218738161:user/puppet-heracles",
+            "force_destroy": false,
+            "id": "puppet-heracles",
+            "name": "puppet-heracles",
+            "path": "/",
+            "permissions_boundary": "",
+            "tags": null,
+            "tags_all": {},
+            "unique_id": "AIDA3D3X4QXY4Y763IBI3"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA=="
+        },
         {
           "index_key": "puppet-host",
           "schema_version": 0,
@@ -40054,6 +40302,23 @@
             "module.puppet-vault.data.aws_iam_policy_document.path_permissions"
           ]
         },
+        {
+          "index_key": "puppet-heracles",
+          "schema_version": 0,
+          "attributes": {
+            "id": "puppet-heracles:s3-path-permissions",
+            "name": "s3-path-permissions",
+            "name_prefix": "",
+            "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:PutObject\",\"s3:GetObject\",\"s3:DeleteObject\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::akerl-puppet/public/${aws:username}/*\",\"arn:aws:s3:::akerl-puppet/private/${aws:username}/*\"]},{\"Action\":\"s3:GetObject\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:::akerl-puppet/public/*\"},{\"Action\":\"s3:ListBucket\",\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"public/*\",\"private/${aws:username}/*\"]}},\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:::akerl-puppet\"}]}",
+            "user": "puppet-heracles"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.puppet-vault.aws_iam_user.servers",
+            "module.puppet-vault.data.aws_iam_policy_document.path_permissions"
+          ]
+        },
         {
           "index_key": "puppet-host",
           "schema_version": 0,
@@ -40525,6 +40790,20 @@
             "module.puppet-vault.aws_iam_user.servers"
           ]
         },
+        {
+          "index_key": "puppet-heracles",
+          "schema_version": 0,
+          "attributes": {
+            "file": "creds/puppet-heracles",
+            "id": "AKIA3D3X4QXYRJMHUUEQ",
+            "user": "puppet-heracles"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.puppet-vault.aws_iam_user.servers"
+          ]
+        },
         {
           "index_key": "puppet-host",
           "schema_version": 0,
diff --git a/terraform.tfstate.backup b/terraform.tfstate.backup

Original file line number	Diff line number	Diff line change
`@@ -22,5 +22,6 @@ module "puppet-vault" {`
`22`	`22`	`"proxy",`
`23`	`23`	`"mqtt",`
`24`	`24`	`"ledgerdb",`
	`25`	`+ "heracles",`
`25`	`26`	`]`
`26`	`27`	`}`